
[Closed] Serious IT help needed!

Posts: 2861
Full Member
Topic starter
 

Thanks everyone, this is helping me a lot. I've never been in such a stressful situation!

There is some form of filtering software as nobody can access the likes of facebook etc. I'm using a desktop machine, our network is a Novell server and that's about as far as my knowledge of it all goes. And yes, they use Internet Explorer.

This morning I was wondering (I have a lot of time to think just now) if someone could be putting something on my machine? But then I find that pretty weird behaviour for someone?

I also find it weird that a site like that could be accessed at all at any work place. Having never seen it until I got home, it's not something I have any interest in.


 
Posted : 01/04/2009 10:40 am
Posts: 0
Free Member
 

It's most weird that your firm is in one respect taking this seriously (they've sent you home) and in another respect don't seem to know their asses from their elbows (haven't provided any "real" evidence that you did this). Sounds like a dodgy company, with an even dodgier IT infrastructure and a really crap HR dept. Good luck, don't let it get you down. Truth will prevail, if it doesn't then a tribunal will see sense. Just make sure you keep posting updates, there are loads of IT folk on here who have vastly more knowledge than the cowboys at your work.


 
Posted : 01/04/2009 10:53 am
Posts: 2861
Full Member
Topic starter
 

I will indeed keep you posted.

The knowledge on here is a great help as my knowledge on this is pretty much nil.

I'm about to get in touch with a colleague who a good while ago was having various problems with his PC. Programs would crash all the time etc. I seem to recall that IT tried running Spybot - nothing found and problems persisted. They tried something else and it got worse. In the end I think they just took it away and formatted the machine and then returned it?

Cheers


 
Posted : 01/04/2009 11:01 am
Posts: 1574
Free Member
 

[i]If your company is using IE browser then that is lame .... tell them to start using Firefox with NoScript extension as bare minimum.[/i]

That would go down like a lead-balloon at my place. I doubt IT would appreciate the 'advice' from somebody who has admitted that they don't understand this stuff. Strangely my employer runs IE just fine (although I choose not to at home)


 
Posted : 01/04/2009 11:04 am
Posts: 0
Free Member
 

I get this a lot, "IE is crap", "don't use it" etc.

IE is the only browser that can be centrally managed and updated in corporate environments. The hundreds of config and security settings can be controlled by group policies very quickly and easily. And how would a corporate cope with patch management if they used Firefox?

Bottom line, IE is the only candidate for big firms who take control and security seriously.

Do I use IE at home? No. Would I consider using non-IE browsers at my firm? No.


 
Posted : 01/04/2009 11:14 am
Posts: 0
Free Member
 

Get your colleague to check Help and About in IE, get the [u]whole[/u] version number. This should be something like 7.0.5730.11 and will tell you how up to date the security updates in IE are. Also, what brand Anti Virus are you running, and when was it last updated? If you can get your colleague to check Windows Update on ANY PC in the office this would be a good gauge to see how patched the PCs are too. I suspect everything is out of date and vulnerable to attack.


 
Posted : 01/04/2009 11:20 am
Posts: 14
Free Member
 

I get this a lot, "IE is crap", "don't use it" etc.

IE is the only browser that can be centrally managed and updated in corporate environments. The hundreds of config and security settings can be controlled by group policies very quickly and easily. And how would a corporate cope with patch management if they used Firefox?


That's all very true, and here (5000+ users) we use IE. BUT, in this case, the IT dept seem not to have much of a clue and any form of centralised management is beyond them. Centralised management is the only reason to use IE, otherwise it's slow, unreliable, insecure bloatware that I wouldn't dream of using on my home machine (which is Linux, so it's a moot point anyway).


 
Posted : 01/04/2009 12:30 pm
Posts: 0
Free Member
 

Totally agree, they seem too lax in their approach to IT to then be bothered enough to send the guy home. Very strange


 
Posted : 01/04/2009 12:39 pm
Posts: 1574
Free Member
 

as TandemJeremy hasn't popped 'in' I'll say it....'can you join a union' / get some professional advice (not us lot!)- especially if your employer might use this to reduce their head-count.
May I suggest another post e.g. 'Employment Law Help Required' as you might attract a different crowd to your post.


 
Posted : 01/04/2009 5:01 pm
Posts: 2861
Full Member
Topic starter
 

I have an update - I shall post it later when I get the chance.


 
Posted : 01/04/2009 5:02 pm
Posts: 2861
Full Member
Topic starter
 

Right, I have some form of report through the post now. The letter states 'you viewed sites showing pornographic and grotesque images such as; dontclickthis.whatingods.name & meatrolled'

Now, I know this is not the case. The meatrolled is a new one to me too.

They have given me a list which is some sort of log and goes like this:

04/03/2009 12:21 dontclickthis.whatingods.name (then IP address) my name, my office, file size

The list continues, in the space of one minute there is:

mlehworld.com (yes, I use this)
ww.scotroutes.com (never heard of)
images.fotopic.net (I know what this site is)
ww.comedy-zone.net (never heard of)
i41.tinypic.com (never heard of)
ww.meatrolled.com (never heard of)
ww.infoslash.net (never heard of)
ww.infoslash.net (it's on twice)
files.adbrite.com (never heard of)
ads.grx.adbrite.com (never heard of)
ads.adbrite.com (never heard of)
graphics.pop6.com (never heard of)
banners.adultfriendfinder.com (never heard of)
ww.meatrolled.com (never heard of)
graphics.adultfriendfinder.com (never heard of)
ww.meatrolled.com (again)
ww.meatrolled.com (again)

Then 2 minutes later it's hotmail, which I have an account with.

I've looked at 17 sites in one minute! What on earth is going on here? I use Mlehworld both at work and at home, never had a problem. What I don't understand is that every one of the other sites I have no idea of? This is all I have from them.

I'm now finding it all very bizarre, I still don't have a clue what's going on and from looking through the list they have given me I know for sure that I have not seen, been or done any of this!

Can anyone shed some light on this for me please?

Many thanks

Please note - I have edited the www so that they don't link. I haven't looked at any of them and don't intend to. I don't want anyone here clicking them.


 
Posted : 02/04/2009 11:57 am
Posts: 0
Free Member
 

I am not too up on the technicalities but I think certain files and links are opened when you visit certain sites (it could be from Mlehworld but not sure). I am pretty sure that the 'ads.adbrite.com' is an advert on a page like the ones at the top of this page.

Someone will no doubt be along shortly to confirm/ridicule me!


 
Posted : 02/04/2009 12:05 pm
Posts: 1048
Free Member
 

That is a list of requests made from your browser - doesn't mean that you made them.

When you load up a page, if there are links to other sites for in-line images, ads etc. the browser makes them without your intervention. That is what that list looks like. If they are allowing scripts through the firewall, then it's even worse.

I would second the suggestion of getting a union rep involved if you can. That evidence needs to be reviewed carefully.


 
Posted : 02/04/2009 12:16 pm
Posts: 1048
Free Member
 

Ok - I've just had a look.

Those dontclickthis domains are where some users on mlehworld forums are hosting their avatars.

So basically, when you go into a forum topic, your browser requests all the users' avatars and the inline pics - hence all the weird and wonderful domains.

*Edited to remove the scotsroute bit*


 
Posted : 02/04/2009 12:19 pm
Posts: 0
Free Member
 

Someone's hopped onto your PC whilst you turned your back

or

Your machine has unknown malicious software installed

or

You did this yourself

or

They've falsified the logs

You never clarified the points regarding your firm's patch management, or the anti virus, or how strict your password policy is?? This would be useful if you want any more advice mate 😕

Agree with the last poster, no harm in doing another post headed Employment Law Advice etc


 
Posted : 02/04/2009 12:19 pm
Posts: 54
Free Member
 

what shakey said. It sounds like a load of hooey to me - I'm not sure your IT department know what they're doing.

It looks like there's been a host of pop-up windows opened linking through a lot of the above sites. Does their url list show clicks through a particular site?

There's nothing you can do if an 'innocent' (ie. mlehworld) webpage opens a popup (via an advert or scripting) to badpornsite.com - you're going to get stuck with that url on your log. This could be done via malware or viruses. HOWEVER - if you clicked through some of the content this would be obvious - ie. you're on badpornsite.com/index.html and click a link to > badpornsite.com/grannysubsection.html then they'd have a case to argue.

Just my 2p's worth. I can't believe that they're continuing with this on this basis...


 
Posted : 02/04/2009 12:22 pm
Posts: 0
Free Member
 

If it's going to that many sites that quickly, I'd suspect some sort of Adware or malware.

I'd be asking how your name is linked to those sites and get them to prove it

Also you must take someone else in with you to the 'interview'. Record the interview as well


 
Posted : 02/04/2009 12:22 pm
Posts: 2861
Full Member
Topic starter
 

I don't think it's from Mlehworld as I use it at home too and have never seen any of these sites listed.

I just checked by going to it there, Mleh has no adverts at all on their site.
I'm even more confused?...


 
Posted : 02/04/2009 12:22 pm
Posts: 54
Free Member
 

doesn't have to be from mlehworld - could be from a dodgy spam email via hotmail.


 
Posted : 02/04/2009 12:24 pm
Posts: 2
Free Member
 

Have people been hosting dodgy images on mlehworld? When you have opened a forum thread, the images may have been embedded by a forum poster and your browser will have nipped off to the dodgy site to collect them.

I think that will be a big part of your problem, you're visiting a largely unpoliced forum using your work computer.


 
Posted : 02/04/2009 12:24 pm
Posts: 2861
Full Member
Topic starter
 

"Ok - I've just had a look.

Those dontclickthis domains are where some users on mlehworld forums are hosting their avatars.

So basically, when you go into a forum topic, your browser requests all the users' avatars and the inline pics - hence all the weird and wonderful domains. "

Okay, this makes some sense to me now.

I'll find out about their antivirus software and repost...


 
Posted : 02/04/2009 12:25 pm
Posts: 0
Free Member
 

So in the interests of investigation I logged into them all, well all that aren't pop-up and adware managers.

The only one of any significance is meatrolled.com, which is an interesting one. It locks you out, sings round and around at the top of its voice and shows a nice picture of some bird getting it. I.e. it advertises to all and sundry in your office that you are watching porn. It won't let you close the window with the normal tabs, and the only option is to give it the 3 finger salute or turn off.

The site solely exists to send your mates to to get them into trouble at work. Very funny, but not somewhere you would go unless sent. Unless someone was trying to screw you over.

At a guess I would say, you do indeed have a virus, trojan etc, or have been hijacked.

Best thing to do would be to ask for another computer and to have work 'test' yours by going to the sites that you normally visit and see what 'appears' as this takes place.

Or they could just be trying to **** you...

Either way you need union/legal advice from outside the company.


 
Posted : 02/04/2009 12:25 pm
Posts: 0
Free Member
 

Zedsdead - When using Mlehworld you won't see/know what's happening, the links are just opened in the background.

When you are interviewed by HR, honesty is your best approach, but as has been mentioned take a witness and get it recorded.

Seems like your IT dept are good at recording this kind of activity but not at preventing it!


 
Posted : 02/04/2009 12:29 pm
Posts: 14
Free Member
 

Judging by the number of ads.xxx and images.xxx I'd hazard a guess that mlehworld.com is hosting adverts that are links to the advertised site.
Specifically, I'd look at adultfriendfinder as your problem. I've seen it before and it's a sex-related site advertised using pictures of naked or near-naked women, no more offensive than say, page 3 of The Sun, but what with breasts and nipples being on display that may be enough to trigger an "obscenity" alert for someone. And, as it's a site that lets you sign up to meet "singles for sex in your area", the context may be your problem.
At home, I would check mlehworld, look at the adverts, are there any iffy ones, if so follow the links to be aware of the context of the adverts so you can at least know what their problem is. Also, if the site is advertising dodgy adult material, then it probably is a dodgy site and those files you downloaded were done by the site, not you. Your IT people should be aware of this, and you should point this out to your manager/HR people.
Standard practice (for me anyway) was always to have a look at anything suspect and try to place it in a context, but I've also assumed that most people are not so thick they would download porn at work so there's a reason why this is happening - check it out before assuming the worst.

All the best with it.


 
Posted : 02/04/2009 12:35 pm
Posts: 1048
Free Member
 

Seems like your IT dept are good at recording this kind of activity but not at preventing it!

That's for sure.

That list is also only for top level domains - if they have the complete url that was used at that time e.g. http://mlehworld.com/forum/viewtopic.php?t=xxxxx just entering that into a browser will show them how the images were loaded.


 
Posted : 02/04/2009 12:36 pm
Posts: 14
Free Member
 

..and another thing WTF are they doing letting you use Hotmail at work? Mail should come through the business mail server and be scanned for viruses on arrival. Opening your systems up to Hotmail (or any external webmail) is completely amateur. Do they not know how viruses spread?


 
Posted : 02/04/2009 12:40 pm
Posts: 9238
Free Member
 

Well you'd be hard pushed to spread a virus from hotmail unless your internal IT team doesn't keep the AV software up to date or you were allowed to download the email to your PC but again, AV usually sorts that out.

MSN Messenger is far more invasive.


 
Posted : 02/04/2009 12:49 pm
Posts: 14
Free Member
 

..if someone sends you a file and you open said file, where do any macros or programs execute? AV will sort that out as long as a - it's up to date, which given by what I've read so far, I'd doubt, and b - the AV software recognises the virus, which isn't always the case, and as IT in this case seems to be of the cheapo variety, the AV software may not be the best.

If I wanted to spread a virus, hotmail is one place I'd start.


 
Posted : 02/04/2009 12:56 pm
Posts: 0
Free Member
 

Zedsdead - could be mleh avatars though. While mleh has no adverts or popups or any of that kind of trash, ppl like forky have all kinds of stuff as avatars from all kinds of places ...

Do you use worksafe at work? If not you should. I do. Under 'profile'. Only the full hilarity can be unfolded at home.


 
Posted : 02/04/2009 2:01 pm
Posts: 6985
Free Member
 

oh and never never click the pictures of cute fluffy bunnies i post.

tard.


 
Posted : 02/04/2009 2:08 pm
Posts: 0
Free Member
 

Zedsdead - Member

The list continues, in the space of one minute there is:

mlehworld.com (yes, I use this)
www.scotroutes.com (never heard of)

Scotroutes.com is [i]my[/i] domain. If you've been browsing mlehworld and are using a profile which shows avatars, it's likely you've been linked to one of mine.

torsoinalake - Member

*Edited to remove the scotsroute bit*

Give me a clue?

I should also re-iterate - there are no ads on mlehworld, so none of those urls are linked to it - neither is adultfriendfinder. As for the other "dodgy" images you've talked about, it sounds like someone has seen the site list and then randomly browsed the dontclickthis domain. That doesn't mean you saw any of the dodgy images. Ask for the full URL, and get them to check the cache on your machine - any browsed images will likely still be in there too.


 
Posted : 02/04/2009 3:25 pm
Posts: 2861
Full Member
Topic starter
 

Thanks, on my work PC some avatars are little red X's. I know we can't get Flickr etc so I figure this is why?

re: the dodgy images, funnily enough a mate said the same thing, he reckons they've just clicked on a few. They're pretty random things!

I don't know the full url - they didn't give me it. I don't think they have it either. However I know I haven't looked at or seen anything like that so I know I can back that up if I get on my pc and look at the history. I also sit right next to a couple of people so they would also have seen it.

Here's another thing,

I start around 7am everyday. I know we aren't to abuse the use of internet (ie; use it too much) so I don't. I only use it at lunch time. So if I really wanted to abuse my pc at work why would I wait until lunchtime in an open plan office? It would be better for me to do it in the morning surely as no one else starts until 9.

This is driving me mad. It's making me pretty angry too....


 
Posted : 02/04/2009 3:53 pm
Posts: 2861
Full Member
Topic starter
 

Oh yeah, our software is 'virus scan enterprise' It hasn't updated since some time last year.
Everyone always gets the message on their PC that it's out of date. But it doesn't connect to update etc. Hasn't for months...


 
Posted : 02/04/2009 3:56 pm
Posts: 0
Free Member
 

Zedsdead - Member

Thanks, on my work PC some avatars are little red X's. I know we can't get Flickr etc so I figure this is why?

re: the dodgy images, funnily enough a mate said the same thing, he reckons they've just clicked on a few. They're pretty random things!

I don't know the full url - they didn't give me it. I don't think they have it either.

Perfect. Tell them to go take a hike. Just because there's some dodgy images on a site, that doesn't mean you've actually looked at them FFS.

PS - do you have a mleh login? If so, you should set your profile to "worksafe"


 
Posted : 02/04/2009 4:07 pm
Posts: 0
Free Member
 

Your firm should be focusing on their shitty IT not the end-users. Do you mean your AV software is McAfee VirusScan Enterprise? I think you're being used as a scapegoat mate, better get some employment-law advice. If you can get the full Internet Explorer browser version like I said yesterday, I'll be able to confirm that the browser is unpatched, which if your AV is out of date means there will be any number of malware/viruses etc on your PC. Get a colleague to check Windows Update on another PC to see what High Priority Update/Critical Updates are outstanding. I think that ultimately in this situation the best form of defence is attack, get all the facts outlining their lax security and be very clear that this wasn't your doing and you will take this as far as you need to legally.


 
Posted : 02/04/2009 4:12 pm
Posts: 0
Free Member
 

Sounds like you've copped it due to mleh image links then....

Tricky one!


 
Posted : 02/04/2009 4:15 pm
Posts: 0
Free Member
 

Surely all they have to do is open up the page from mlehworld's forum and right click view source...

(this is from my profile on here, which links to an image held externally to the singletrack site)

<div id="useravatar"><img alt="" src="http://www.gravatar.com/avatar/77f885b7950f8eb87d725b72bab69a99?s=80&d=http%3A%2F%2Fwww.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D80&r=g" class="photo avatar avatar-80" style="height:80px; width:80px;" /></div>


and search for all the [b]img[/b] tags

that way, hopefully they'll see that those links loaded automatically from the site and you weren't trawling pr0n.


 
Posted : 02/04/2009 4:29 pm
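
The check suggested in the posts above (read the page source for embedded tags, then compare against the hosts in the proxy log) can be done mechanically. This is an added example, not part of the original thread; the hostnames, page markup and log lines are constructed, with the log layout assumed from the one the topic starter describes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute a browser fetches on its own while rendering.
# <a href> is deliberately absent: that request only happens on a click.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "embed": "src"}


class _EmbeddedHosts(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = AUTO_FETCH.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Resolve relative paths against the page before taking the host.
            host = urlsplit(urljoin(self.page_url, value.strip())).hostname
            if host:
                self.hosts.add(host.lower())


def embedded_hosts(page_url, html):
    """Hosts the browser contacts just by rendering this page."""
    parser = _EmbeddedHosts(page_url)
    parser.feed(html)
    parser.close()
    return parser.hosts


def classify_log(page_url, html, log_lines):
    """Label each logged host: 'page', 'embedded' or 'unexplained'."""
    page_host = urlsplit(page_url).hostname
    auto = embedded_hosts(page_url, html)
    results = []
    for line in log_lines:
        date, time, host = line.split()[:3]
        host = host.lower()
        if host == page_host:
            verdict = "page"          # the site the user actually opened
        elif host in auto:
            verdict = "embedded"      # fetched automatically, no click needed
        else:
            # Static markup cannot account for script-injected content or
            # redirects; the full URL or Referer is needed to settle these.
            verdict = "unexplained"
        results.append((f"{date} {time}", host, verdict))
    return results


# Constructed forum page: a local logo, two off-site avatars, one ad script,
# and one ordinary link that is never fetched unless clicked.
PAGE_URL = "http://forum.example/viewtopic.php?t=1"
PAGE_HTML = """
<html><body>
<img src="/images/logo.gif">
<div class="post"><img class="avatar" src="http://avatars.example.net/u/1.gif"></div>
<div class="post"><img class="avatar" src="http://pics.example.org/a.jpg" />
  <a href="http://clickonly.example.com/">a link nobody clicked</a></div>
<script src="http://ads.example.org/show.js"></script>
</body></html>
"""

# Constructed log lines: date, time, host, client IP, user, office, size.
LOG = [
    "04/03/2009 12:21 forum.example 192.0.2.10 jsmith office-1 18432",
    "04/03/2009 12:21 avatars.example.net 192.0.2.10 jsmith office-1 2048",
    "04/03/2009 12:21 pics.example.org 192.0.2.10 jsmith office-1 4096",
    "04/03/2009 12:21 ads.example.org 192.0.2.10 jsmith office-1 512",
    "04/03/2009 12:21 banners.example.com 192.0.2.10 jsmith office-1 9000",
]

if __name__ == "__main__":
    for when, host, verdict in classify_log(PAGE_URL, PAGE_HTML, LOG):
        print(f"{when}  {host:<22} {verdict}")
```

A host-only log cannot separate these cases on its own, which is why the full URL and the browser cache matter to anyone reviewing this kind of evidence.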
Posts: 0
Free Member
 

The mlehworld avatars will be cached locally on your hard drive (saves downloading them every time you visit the webpage), hence the connection to 14 sites in one minute etc. That's why your IT dept. thinks you’ve downloaded Dead polar bear pron!

Take a look in the internet cache it should be very colourful!!

Even if you deleted the internet cache within IE 7, index.dat holds a list of all the websites you've ever been to!!!


 
Posted : 02/04/2009 4:32 pm
Posts: 0
Free Member
 

Oh FFS - if they don't know the page URL, what hope do they have? Fact is, mleh is fairly self-policing when it comes to avatars etc and any nasty ones get blocked as NSFBN (Not safe for Barrys Nephew). Having said that, there's obviously no guarantee what other images are on the same (linked) site, but if you don't go looking for them, then you'll never find them.

Now then, about this adultfriendfinder stuff - possibly linked from Hotmail?

And what about those ads?


 
Posted : 02/04/2009 4:34 pm
Posts: 0
Free Member
 

toons - Member

The mlehworld avatars will be cached locally on your hard drive (saves downloading them every time you visit the webpage), hence the connection to 14 sites in one minute etc. That's why your IT dept. thinks you’ve downloaded Dead polar bear pron!

Take a look in the internet cache it should be very colourful!!

Even if you deleted the internet cache within IE 7, index.dat holds a list of all the websites you've ever been to!!!

that's why I use Firefox!


 
Posted : 02/04/2009 4:34 pm
Posts: 1048
Free Member
 

druidh - I initially thought that a mleh banner was hosted on scotsroute, but it wasn't, so edited it out (I jumped to conclusions, much like a certain IT department). I didn't think it looked like the type of domain to be serving up panda necro porn.

As for the adultfriendfinder stuff, don't forget that the avatar linked from a random server could be redirected at any time. So when your browser asks for hxxp://www.haxx0rsrus.com/kittenguts.gif it will get the AFF URL and run off after that.


 
Posted : 02/04/2009 5:56 pm
Posts: 14774
Free Member
 

I'm fortunate to work in a place that doesn't really monitor what sites you view and when. They don't appear to ban any IPs etc, but this does raise some interesting points. Due to work commitments and other reasons I'm about to stop using STW and a couple of other forums during the day, but I know that having searched for really random stuff like ceramic insulators I've "revealed" some stuff I'd not be comfy with on a work PC - it's all too easy. And you have no way of proving you didn't go hunting for it AFAIK. This leads me to think that ultimately the company's IT dept have to take responsibility for allowing content through, but overall I don't see why the end user should be blamed - if you need net access for your job you run the risk of downloading something.dodgy.com, the company must accept that, or prevent it themselves.


 
Posted : 02/04/2009 6:20 pm
Posts: 0
Free Member
 

I very much doubt it came from Mleh - for the simple reason it hasn't happened to anyone else. Zedsdead - contact Yojimbo on mleh - he is the uber it geek overlord and should be able to help


 
Posted : 02/04/2009 7:11 pm
Posts: 0
Free Member
 

🙄


 
Posted : 02/04/2009 7:14 pm
Posts: 2861
Full Member
Topic starter
 

Thanks people, at least I have a better understanding of how this stuff works now. Seems to be better than our IT dept's understanding!

I'll let you know how I get on tomorrow. 9am is the meeting...


 
Posted : 02/04/2009 8:23 pm